THE  WRIGHT  FLYER  PAPERS 


The  Department  of 
Defense  and  the  Power 
of  Cloud  Computing 

Weighing  Acceptable  Cost 
versus  Acceptable  Risk 


Steven  C.  Dudash 

Major,  Ohio  Air  National  Guard 

Air Command and Staff College
Wright Flyer Paper No. 52


Air University

Steven L. Kwast, Lieutenant General, Commander and President


Air Command and Staff College

Thomas H. Deale, Brigadier General, Commandant
Bart R. Kessler, PhD, Dean of Distance Learning
Robert J. Smith, Jr., Colonel, PhD, Dean of Resident Programs
Michelle E. Ewy, Lieutenant Colonel, PhD, Director of Research
Liza D. Dillard, Major, Series Editor
Gregory Intoccia, PhD, Essay Advisor


Selection  Committee 

Anthony Branick, Major
Carrie E. Chappell, Major
Liza D. Dillard, Major
Aaron P. Doriani, Major
Michelle E. Ewy, Lieutenant Colonel, PhD
Kevin S. Groff, Major
Thomas E. Kiesling, Major
Edward G. Ouellette, Major, PhD
Ryan D. Wadle, PhD


Please send inquiries or comments to
Editor

The Wright Flyer Papers

Department of Research and Publications (ACSC/DER)
Air Command and Staff College
225 Chennault Circle, Bldg. 1402
Maxwell AFB, AL 36112-6426
Tel: (334) 953-3554
Fax: (334) 953-2269

E-mail: acsc.der.research@us.af.mil


AIR  UNIVERSITY 

AIR  COMMAND  AND  STAFF  COLLEGE 


The  Department  of  Defense  and  the 
Power  of  Cloud  Computing 

Weighing  Acceptable  Cost 
versus  Acceptable  Risk 

Steven C. Dudash
Major, Ohio Air National Guard


Wright Flyer Paper No. 52


Air University Press
Air Force Research Institute
Maxwell Air Force Base, Alabama


Published by Air University Press in April 2016


Director and Publisher
Allen G. Peck

Editor in Chief
Oreste M. Johnson


Air University Press
155 N. Twining St., Bldg. 693
Maxwell AFB, AL 36112-6026


Disclaimer


Opinions, conclusions, and recommendations expressed or implied within are solely those of the author and do not necessarily represent the views of the Air Command and Staff College, the Air Force Research Institute, Air University, the United States Air Force, the Department of Defense, or any other US government agency. Cleared for public release.


This Wright Flyer Paper and others in the series are available electronically at the AU Press website.


Contents


List of Illustrations v

Foreword vii

About the Author ix

Abstract xi

The Problem 1

Understanding Cloud Computing 3

Virtualization 4

Infrastructure Models 5

Cloud Services 6

Infrastructure as a Service 6

Platform as a Service 9

Software as a Service 10

History of Department of Defense Cloud Computing 11

United States Chief Information Officer Directives 11

The National Defense Authorization Act of 2012 12

Department of Defense Cloud Computing Strategy 12

Data Security Regulations/Standards 13

The E-Government Act of 2002 13

The National Institute of Standards and Technology 15

Department of Defense Instructions 17

Current Program Evaluations 17

Department of Defense Cloud Programs Evaluated 17

The Navy 18

The Air Force 18

The Army's Information Systems Agency 18

The Defense Information System Agency 19

Federal Commercial Cloud Service Initiatives 19

Comparison of Alternatives 20

The Public Solution 21

The Private Solution 21

The Hybrid Solution 22

Recommendations 22

Perform Security Category Revaluation of Systems and Data 23

Move All Noncommercial Data and Services to a Private Cloud 23

Perform Cost Analysis on Where To Host Low Security Classification Services 24

Conclusion 24

Abbreviations 29

Bibliography 31


Illustrations


Table

1 Cloud service matrix 10

2 Potential impact definitions for security objectives 16

Figure

1 IAAS component stack and scope of control 8

2 PAAS component stack and scope of control 9

3 SAAS component stack and scope of control 10


Foreword 


It is my great pleasure to present another issue of The Wright Flyer Papers. Through this series, Air Command and Staff College presents a sampling of exemplary research produced by our residence and distance-learning students. This series has long showcased the kind of visionary thinking that drove the aspirations and activities of the earliest aviation pioneers. This year's selection of essays admirably extends that tradition. As the series title indicates, these papers aim to present cutting-edge, actionable knowledge—research that addresses some of the most complex security and defense challenges facing us today.

Recently, The Wright Flyer Papers transitioned to an exclusively electronic publication format. It is our hope that our migration from print editions to an electronic-only format will fire even greater intellectual debate among Airmen and fellow members of the profession of arms as the series reaches a growing global audience. By publishing these papers via the Air University Press website, ACSC hopes not only to reach more readers, but also to support Air Force-wide efforts to conserve resources. In this spirit, we invite you to peruse past and current issues of The Wright Flyer Papers at http://aupress.maxwell.af.mil/papers_all.asp?cat=Wright.

Thank you for supporting The Wright Flyer Papers and our efforts to disseminate outstanding ACSC student research for the benefit of our Air Force and war fighters everywhere. We trust that what follows will stimulate thinking, invite debate, and further encourage today's air, space, and cyber war fighters in their continuing search for innovative and improved ways to defend our nation and way of life.


Brigadier General, USAF
Commandant


About  the  Author 


Maj Steven C. Dudash is the director of logistics for the 251st Cyberspace Engineering Installation Group. He began his military career as an enlisted wideband communications equipment specialist in March 1987, and earned his commission through the Academy of Military Science, the Air National Guard commissioning program, in 2001. He holds a bachelor of science degree from Franklin University and a master of military operational art and science degree from Air University.


Abstract 


Cloud computing, a shared pool of computing resources that are readily available to meet the user's rapidly changing demands, has opened up many new opportunities and risks for society that in many ways are revolutionary. The Department of Defense (DOD), because of its size and mission, faces significant opportunities and security challenges when implementing a cloud computing environment. The transformation of DOD information technology (IT) has been uneven as the technology has matured. A cloud-based infrastructure can provide extensive savings for the DOD. Currently, there is an estimated 75 percent underutilization rate in current configurations. However, a cloud configuration introduces new potential security risks that DOD IT professionals must weigh when evaluating the potential cost savings associated with cloud computing.

The implementation of a private DOD cloud—an infrastructure solely owned and operated by the DOD supporting all DOD components—could realize savings while reducing or eliminating the risks associated with cloud computing. This paper evaluates existing policy, guidance, law and regulation, and recent efforts within the DOD to implement a cloud-computing infrastructure. There are three key recommendations for the DOD's transformation to make the most of cloud computing: standardize security categorization, implement a DOD private cloud, and evaluate the most cost-effective commercial cloud solutions with the least security risk.
The Problem


Complete confidence in the trustworthiness of information technology, users, and interconnections cannot be achieved; therefore the Department of Defense must embrace a risk management approach that balances the importance of the information and supporting technology to DOD missions against documented threats and vulnerabilities, the trustworthiness of users and interconnecting systems, and the effectiveness of IA solutions.

Department of Defense Instruction 8500.2


The Department of Defense (DOD) spends over 38 billion dollars per year on information technology (IT) supporting over two million users and 10,000 operational systems.1 As the US Congress looks to decrease the DOD budget in order to achieve a balanced budget, the DOD must look at methods to live within its budget and still meet mission requirements. At 38 billion dollars per year, IT becomes an obvious target for


The US chief information officer (CIO) published the December 2010 25 Point Implementation Plan to Reform Federal Information Technology Management, which called for a “cloud first” approach in implementing IT infrastructure.2 The 2012 National Defense Authorization Act (NDAA) calls for DOD data and services to be migrated to the commercial cloud infrastructure. It fails to provide clear guidance on the approach federal agencies should take in supporting this “cloud first” directive, however.3 The NDAA does not provide guidance on how to identify the proper mix of commercial and private cloud infrastructure while maintaining the proper level of security for the infrastructure, services, and data. While clouds are an industry-proven way to reduce IT infrastructure and therefore cost, this migration must not be done in a manner that places the DOD data at risk.

According to the National Institute of Standards and Technology, “cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”4 This complex definition of cloud computing does little to highlight the key benefits as well as the key security risk of cloud computing: “shared pool.” From a user's perspective, this shared pool of resources is a “cloud” of unknowns. The user does not know where the supporting IT resources reside or what the laws and regulations concerning data availability and privacy are at that location. The user may have no knowledge of with whom the resources are shared and, therefore, has no knowledge of the security processes used by these neighbors in the cloud. A neighbor practicing security standards lower than those of the DOD will put DOD systems and data at a risk level comparable to that of its neighbors in the cloud. Just as a user browses a Web page on the public Internet and may not know the identity and location of the host, so too a user may face similar unknowns about the cloud. However, it is this shared pooling of resources that provides one of the greatest benefits of cloud computing—economies of scale. According to John K. Waters, writing for the award-winning CIO.com, “the average enterprise utilizes somewhere between 5 percent and 25 percent of its server capacity.”5 Unfortunately, it is this shared pool of resources, especially shared resources in a commercial environment, that also creates numerous risks not usually seen in the traditional client/server IT models.

Without overall federal guidance, the DOD and its three military components have been left to their own devices to develop their cloud strategy within their assigned budgets. The DOD waited over 18 months after the US CIO published the “cloud first” policy to establish its first strategic guidance. That guidance came after the initial deadline for the components had passed.

As a result, the three military components have established three different paths to achieve a cloud presence. While the benefits of cloud computing are increasingly understood, by failing to work as a single organization, the DOD does not take advantage of economies of scale. It seems to be unable to adequately address elevated security risks posed by commercial cloud infrastructure. Consequently, individual DOD components and agencies are developing different cloud strategies independently. Then the question becomes: How should the DOD implement a shared pool of configurable computing resources (a cloud computing environment), ensuring savings through economies of scale while adequately protecting the DOD's data and services?

The DOD should build and mandate the use of a DOD private cloud computing environment able to provide core IT services and data storage for all DOD components in order to accomplish its strategic objectives on cloud computing. This type of infrastructure can achieve significant economies of scale across the entire DOD while minimizing the risks associated with cloud computing.

Both the problem/solution and the evaluation methodologies will be utilized to find an acceptable combination of commercial public cloud service with DOD private cloud service that provides cost savings and required levels of system and data security. By analyzing the cloud infrastructure, legal requirements in cloud computing, data security requirements of the Federal Information Processing Standards (FIPS), and operational considerations, several potential cloud model alternatives will be presented. Looking at “commercial only,” “private only,” and “hybrid” models, the strengths and weaknesses of each will be shown. Finally, a series of recommendations will be presented that should allow the DOD to achieve economies of scale through the power of cloud computing while still ensuring adequate protection to the systems and data.


Understanding  Cloud  Computing 

As stated earlier, the goal of cloud computing is to create a rapidly configured, on-demand, shared pool of resources. It is through these goals that cloud computing has the potential to provide a cheaper, hands-off, more secure IT infrastructure. The first of these benefits, cheaper infrastructure, is provided by economies of scale. Tim Hindle in the Economist defines “economies of scale” as “factors that cause the average cost of producing something to fall as the volume of its output increases.”6 If the DOD applies the proposed cloud computing concepts, DOD IT infrastructure could be consolidated from numerous inefficient data centers to fewer, more efficient, large-scale data centers, which would increase output—economies of scale.

The “hands off” benefit of cloud computing depends on perspective, whether that of the user, the business, or the cloud provider. This paper will focus on the business perspective—that is, the point of view of the organization providing goods or services and requiring IT services to meet those needs. The businesses would include the military components and agencies of the DOD. Ignoring the newer realm of cyber operations and focusing on the IT services required by the DOD—what does cloud computing bring to businesses? According to Salesforce.com, a commercial cloud provider, “With cloud computing . . . you're not managing hardware and software—that's the responsibility of an experienced vendor like Salesforce.com. The shared infrastructure means it works like a utility: You only pay for what you need, upgrades are automatic, and scaling up or down is easy.”7 From a component or agency perspective, a DOD private cloud will allow a hands-off approach to the cloud with a core business focus.

The third benefit of cloud computing, more secure IT infrastructure, occurs through the consolidation of similar services. Recently, the Defense Information Systems Agency (DISA) was able to halt the spread of a malware attack on the DOD private cloud e-mail services because it was possible to view the entire process, not just its pieces. Mark Orndorff, DISA's director of mission assurance and network operations, stated that “those attacks would have been essentially undetected if you just had little pieces of that picture scattered around the DOD cyber workforce.”8 This paper will also show the new security issues lurking in the shadows of cloud computing.

Just as clouds in the sky take on many different shapes and sizes, the benefits of cloud computing described above can be delivered through clouds of many different shapes and sizes. A cloud environment is known by its implementation model and by the services that it provides—infrastructure as a service (IAAS), platform as a service (PAAS), or software as a service (SAAS). Regardless of the model or service selected, the process of implementing a cloud-computing environment starts with server virtualization.


Virtualization 

To use a very generic definition of server virtualization, “a virtual server mimics, using software alone, the behavior and capabilities of a stand-alone computer.”9 One of the first physical steps taken in the migration from a traditional IT infrastructure to a cloud computing environment, virtualization also provides many of the benefits called for in the 2012 NDAA. David Marshall, an architect of numerous virtual solutions and writer for InfoWorld, has identified the top 10 benefits of server virtualization:

• energy savings,
• data center footprint reduction,
• quality assurance/lab environments,
• hardware vendor lock-in reduction,
• uptime increase,
• improved disaster recovery,
• application isolation,
• life extension of older applications, and
• help moving things to the cloud.10

Server virtualization does indeed reduce costs through economies of scale.

Virtualization, however, also opens up a new security risk not typically seen in the traditional IT environment: multitenancy. The “hypervisor,” controlled through the application, creates numerous virtual servers, also known as virtual machines (VM). These VMs are each available for “rent” to any customer that requires this service. In a DOD private cloud, all the customers will be DOD entities. In a commercial cloud, the customers could be anyone, including the DOD, the federal government, private citizens, foreign countries, or rogue entities. Discussion of the cloud models will show that the impact multitenancy has on any particular customer will depend on the level of control and the amount of sharing a customer is willing to accept.

While numerous vendors provide hypervisor software capable of creating a VM environment, Bill Kleyman of Data Center Knowledge has identified the “Big Three” hypervisors: VMware vSphere 5, Citrix XenServer 6, and Microsoft Hyper-V.11 With multiple VMs, multiple applications can run on a single physical server. Numerous organizations and users could use each of the VMs hosted on the physical servers. The Cloud Security Alliance notes that “the lowest common denominator of security will be shared by all tenants in the multitenant virtual environment.”12


Infrastructure  Models 

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-145, The NIST Definition of Cloud Computing, identifies four deployment models for cloud computing: the private cloud, community cloud, public cloud, and hybrid cloud. Each of these models is implemented to allow varying access to the cloud resources.

“Private cloud. The cloud infrastructure is provisioned for the exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.” A DOD private cloud would be solely owned, operated, and managed by the DOD on a DOD premise. This cloud would be used by all DOD components and agencies (business units). “Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.” A DOD community cloud would also be solely owned, operated, and managed by the DOD on a DOD premise. However, individual DOD components and agencies (business units) could maintain their own individual “private clouds.” “Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.” DOD might participate in a public cloud—an external, commercially owned cloud, solely owned, operated, and managed by a commercial organization capable of supporting both government and private entities. “Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public). They remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).” It is through this varying access that the level of accepted security risk is set. DOD might participate in a hybrid cloud—a cloud model composed of two or more clouds of the previously defined models: private, community, or public. However, due to security concerns that will be addressed later, the private and community models will have limited interaction with any public portions.13


Cloud Services

There are typically three cloud services: IAAS, PAAS, and SAAS. Together, these build on each other, providing more service to the customer while limiting customers' abilities to operate, maintain, and secure their data and services. The type of cloud service provided ultimately determines the size of the IT department a customer needs. As a customer moves through the cloud services from IAAS to PAAS and finally to SAAS, the IT department shrinks. This also means the customer becomes more reliant on the cloud provider for operational capability and regulatory compliance. This results in cost savings obtained through outsourcing to a public cloud that are balanced against the level of risk a customer is willing to accept. See table 1 in the discussion of SAAS below for a quick comparison of the IT services made available through the various cloud services.

Infrastructure  as  a  Service 

The foundation on which all cloud services are built, IAAS starts the consolidation and virtualization process, developing savings based on economies of scale. The virtualization process mentioned above allows cloud providers to utilize their resources more efficiently. Creating multiple VMs on a single server increases the utilization rate of the server, thus reducing the number of servers required.14 This reduction in servers reduces the square footage required to host these servers; heating, ventilation, and air conditioning (HVAC) requirements; electrical costs; and the staff required to maintain equipment and facilities. Savings are created through economies of scale.

However, this is where the customer starts to lose control of the IT infrastructure. The IAAS provider owns the fundamental infrastructure required for a cloud-computing environment. This includes building facilities (data center) and all associated support: physical security, HVAC, electricity, and so on. In addition to the physical environment, the cloud provider also hosts many of the network devices required to control the flow of data to and from the VMs. These devices control the flow of data internal to the cloud, and they become shared resources among all cloud users. They also provide interfaces for users to access the cloud environment. VMs include routers for controlling the flow of data, switches to interconnect the various network devices, firewalls to control the types of data traffic that are allowed in or out, proxy servers for controlling user access to Web pages, and large-scale storage for data management. Each of these devices allows access to the cloud resources and prevents unauthorized access. All of these devices are under control of the cloud provider. Likewise, the provider has a very large role in IT infrastructure security and protection. The customer in an IAAS environment provides operating systems and applications running on VMs. NIST SP 800-146, Cloud Computing Synopsis and Recommendations, states that “in general, IAAS places more system management responsibility on subscribers than either SAAS or PAAS; subscribers need to manage the VMs and virtualized infrastructure and need to perform system administrator work.”15 Figure 1 shows the division of responsibility with respect to the IT hardware involved. The IAAS provider controls the hardware and hypervisor (defined in the virtualization section), and the user controls the operating systems, middleware, and applications.

Figure 1. IAAS component stack and scope of control. (Reprinted from Lee Badger, Tim Grance, Robert Patt-Corner, and Jeff Voas, Special Publication (SP) 800-146, Draft Cloud Computing Synopsis and Recommendations, National Institute of Standards and Technology, May 2011.)


Platform  as  a  Service 

PAAS is the next building block in cloud computing. This service has the cloud provider taking on more of the IT functions and further reducing the role the user plays in configuring, managing, and securing IT services and data. In addition to the core service provided by IAAS, PAAS provides a platform for the user to develop applications. Acunetix.com describes Web applications as “computer programs allowing Website visitors to submit and retrieve data to/from a database over the Internet using their preferred Web browser. The data is then presented to the user within their browser as information generated dynamically (in a specific format, e.g. in Hypertext Mark-up Language using Cascading Style Sheets) by the Web application through a Web server.”16 These platforms provided by the PAAS provider may include but are not limited to operating systems such as Windows or Linux, database functions such as Structured Query Language or dBase, or Web servers such as Apache or Microsoft Internet Information Server. PAAS ultimately provides services to the user as a Web-based application, with the majority of the processing taking place in the cloud provider's infrastructure. Thus, PAAS applications are very dependent on browser technologies and secure connections to the cloud service provider.17 However, with PAAS, the end-user organization has the capability to develop, operate, and maintain applications on the cloud provider's infrastructure. Application security rests with the end-user organization while network security rests with the cloud provider. Figure 2 shows the division of responsibility with respect to IT. The PAAS provider controls the hardware, VM software, and the operating system. The user controls only the middleware and applications.

Figure 2. PAAS component stack and scope of control. (Reprinted from Lee Badger, Tim Grance, Robert Patt-Corner, and Jeff Voas, Special Publication (SP) 800-146, Draft Cloud Computing Synopsis and Recommendations, National Institute of Standards and Technology, May 2011.)


Software as a Service


The final building block in the cloud service model is SAAS. This model provides maximum service to the user while at the same time taking on most if not all of the security for the user. Just as with PAAS, with SAAS applications, the user's browser is the interface for the application.18 It is up to the user's organization to ensure that service-level agreements (SLA) or contracts with cloud providers stipulate their operational, maintenance, and security needs. Figure 3 and table 1 show the division of responsibility. The SAAS provider controls the hardware, VM software, operating systems, middleware, and applications. The user only has limited application control.
History of Department of Defense Cloud Computing

The Air Force maintains that "controlling the portions of cyberspace integral to our mission is a fundamental prerequisite to effective operations across the range of military operations."19 Migration of the DOD's combat support information technology to a cloud infrastructure is not as simple as picking a commercial provider. In fact, numerous directives and public laws control the ability of the DOD and its components and agencies to migrate to cloud computing, and many organizations are uncertain how to proceed. A study conducted by Norwich University found that over 43 percent of the federal agencies surveyed were uncertain how they would implement this "cloud first" approach. Over 80 percent indicated that they were either uncertain or did not believe that current federal security standards meet their needs for establishing a cloud infrastructure.20 Recent and pending legislation like the Revised Cybersecurity Act of 2012 and the executive order "Improving Critical Infrastructure Cybersecurity" show a focus on threat information sharing and on protecting privacy and civil liberties.21 All of these hinge on protecting the civilian networks that are critical to the US economy and industrial infrastructure.

While current policy has failed to catch up with the cloud environment, DISA has still managed to make great strides in the deployment of a private DOD cloud. Meanwhile, the commercial clouds leave significant gaps in security and consistency, and the identification and certification of providers also lag behind.


United  States  Chief  Information  Officer  Directives 

According to the Federal Cloud Computing Strategy (FCCS): "The federal government's current information technology (IT) environment is characterized by low asset utilization, a fragmented demand for resources, duplicative systems, environments which are difficult to manage, and long procurement lead times. These inefficiencies negatively impact the Federal Government's ability to serve the American public." Because of this, the US CIO has called for a cloud first policy recognizing the benefits of cloud technology. Cloud first focuses on the high-level surface benefits of cloud computing (economy, flexibility, and speed) as well as "shift[ing] focus from asset ownership to service management."22 The plan also required agencies to perform their initial migration of three internal services to a cloud infrastructure within 18 months.23

Unfortunately, the US CIO cloud strategy seems more focused on the cloud as a commercial enterprise than as an internal infrastructure. This is evident in the 18-month time frame identified for initial migration and in the fact that the FCCS itself acknowledges that "years [are] required to build data centers for new services."24 Furthermore, the FCCS calls for data center consolidation through the reduction of applications "hosted within government-owned data centers."25 With this, it is clear that commercial clouds are the desired end state. Indeed, the US CIO directives seem to preclude the development of an internal private cloud that could provide many, if not all, of the benefits of a commercial cloud.

The  National  Defense  Authorization  Act  of  2012 

The 2012 NDAA is consistent with the US CIO direction of cloud first and sets in place requirements for IT transformation. First, the NDAA calls for a reduction of IT infrastructure such as the square footage of data centers and utility usage (power and HVAC). There are requirements for reductions in investment capital, in the number of applications being utilized, in personnel, and in the time required to expand IT services using a "just-in-time" service-delivery model, and for increasing multiorganization usage.26 All of these requirements are consistent with the utilization of a cloud computing infrastructure, especially a private DOD cloud environment rather than separate cloud environments for each component or agency.

However, the NDAA also went further by requiring that the DOD CIO develop a plan for the "migration of Defense data and government provided services from department-owned and operated data centers to cloud computing services."27 Further, there is a call for "utilization of private sector managed security services for data centers and cloud computing services."28 These requirements do not allow proper evaluation of a DOD cloud that would be capable of providing the same cost savings an-


Department  of  Defense  Cloud  Computing  Strategy 

Released in July 2012, the DOD Cloud Computing Strategy (DODCCS) clarifies the DOD's view on the role commercial cloud providers should play within a DOD cloud. Specifically, the DODCCS recognizes that cybersecurity within the commercial cloud environment has significantly improved and continues this trend.29 The launching of the Federal Risk and Authorization Management Program (FEDRAMP), which will be discussed later, has made access to precertified commercial vendors even easier for federal agencies. However, the DOD also recognizes that significant risks to the DOD IT infrastructure are present, and migration to commercial cloud environments increases these risks.30 Even with this realization, the DODCCS still pushes forward with the migration of DOD data to commercial cloud infrastructures. The DOD is looking to "leverage externally provided cloud services, i.e., commercial services, to expand cloud offerings beyond those offered within the Department" while continuing to develop the internal DOD core cloud services.31 Furthermore, the DOD wants to migrate its IT systems with low or moderate risk levels to commercial cloud infrastructure. These risk levels will be covered later with cloud standards and IT regulations. The NDAA and the DODCCS push forward with commercialization without first establishing a robust private cloud and then evaluating the need for, and cost effectiveness of, commercialization.

Data  Security  Regulations/Standards 

Moving from a traditional client/server configuration to a cloud-computing configuration does not relieve the federal departments and agencies from meeting regulatory requirements to protect federal IT systems and the data they store. These requirements identify responsibilities and set the security standards. However, many of them were written prior to the establishment of cloud computing environments and, therefore, do not address the risks associated with cloud computing. Others provide only very high-level guidance with respect to the cloud environment and leave the individual components and agencies to set the actual security standards.

The E-Government Act of 2002

Enacted in December 2002, Public Law 107-347 establishes "a broad framework of measures that require using Internet-based information technology to enhance citizen access to Government information and services, and for other purposes."32 Subchapter 3, "Information Security," provides "a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets."33 This framework is known as the Federal Information Security Management Act of 2002 (FISMA). FISMA supplies the basis for identifying the security standards a cloud deployment must meet through

•  the establishment of criteria for measuring information security, and

•  the establishment of the NIST as the organization responsible for setting security standards for federal information systems.


FISMA identifies three security objectives for securing information systems:

Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;

Integrity: Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; and

Availability: Ensuring timely and reliable access to and use of information.34

While each of these security objectives is critical to the security of the underlying IT infrastructure of the cloud, they are not necessarily addressed in the same way in a cloud-computing environment. A quick look at each area will help identify the specific issues that must be considered in a cloud environment.

The DOD implementation of public key infrastructure (PKI) has addressed the first two areas, confidentiality and integrity. DISA states that PKI provides identification and authentication, data integrity, confidentiality, and technical nonrepudiation.35 PKI provides integrity by applying a "digital signature" that identifies the source of the data and confirms that the information has not been tampered with. Encryption of the data provides confidentiality. This is where a cloud environment can start to fall short of meeting the security requirements. As stated earlier, PAAS and SAAS are mostly Web-based applications, and the PKI-based encryption runs only between the user's browser and the provider's Web application; once the connection terminates at that application, the data is handled in the clear on the provider's infrastructure. Depending on the access the provider has to the cloud service, this potentially gives the cloud provider unauthorized access to the data.

Perhaps the biggest issue with respect to the cloud environment is availability. The cloud services previously identified are IAAS, PAAS, and SAAS. With each successive model, the cloud service provider takes on more responsibility for providing the IT infrastructure and takes away more user control. While contractual requirements in an SLA may specify "reliability rates," the owner of the cloud controls the user's ability to access and use data and services.
The National Institute of Standards and Technology

NIST is identified in FISMA as the organization responsible for the development of standards related to the security of IT systems, and it produces numerous publications about securing IT systems. These include special publications and Federal Information Processing Standards publications (FIPS Pub). The cornerstone for identifying the standard, FIPS Pub 199, Standards for Security Categorization of Federal Information and Information Systems, lays out the process for categorizing the likely effects of data or system compromises on an organization. These security categories are defined in terms of an IT system's ability to achieve the FISMA security objectives of confidentiality, integrity, and availability. Each security objective is given an impact value of low, moderate, or high. An objective is at low impact if compromise could result in "limited adverse effects," moderate impact if compromise could result in "serious adverse effects," and high impact if compromise could result in "severe or catastrophic adverse effects." Taken directly from FIPS Pub 199, table 2 shows the criteria used to categorize IT systems and data.

Applying the criteria in table 2, the evaluator arrives at a security category (SC) for each IT system and data type, expressed in the format "SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}."

Once a system has been categorized, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, and SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, are used to identify the appropriate security measures for protection of the systems and data.37 Consistent security categorization is missing across the federal government and especially in the DOD. NIST SP 800-60 attempts to refine this process by first separating the data and systems into four business categories: services for citizens, mode of delivery, support delivery of services, and management of government resources.38 The SP then provides recommendations for each category.
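The categorization procedure just described, worked through in code as an added example (it is not from the paper, from FIPS 199, or from any DOD system): it renders each information type in the SC notation above, rolls several types hosted on one system up into a single information-system category using the FIPS 199 high-water-mark rule, collapses that triple to the single overall impact level FIPS 200 uses to select a control baseline, and checks the result against the DODCCS criterion noted earlier that only low- or moderate-impact systems are candidates for commercial cloud hosting. The information types and their impact values are constructed for illustration only.

```python
"""FIPS 199 security categorization, worked as an added example.

Implements the SC = {(confidentiality, impact), (integrity, impact),
(availability, impact)} notation, the FIPS 199 high-water-mark roll-up
across information types, the FIPS 200 single overall impact level, and
the DODCCS low/moderate screen for commercial hosting.  The information
types and impact values below are constructed for illustration; they do
not come from SP 800-60 or from any DOD system.
"""
from enum import IntEnum
from typing import Dict, Tuple


class Impact(IntEnum):
    """FIPS 199 potential-impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: three information types hosted on one notional system.
SAMPLE_INFORMATION_TYPES: Dict[str, Dict[str, Impact]] = {
    "public_web_content": {"confidentiality": Impact.LOW, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "recruiting_pii": {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "logistics_schedules": {"confidentiality": Impact.MODERATE, "integrity": Impact.HIGH, "availability": Impact.MODERATE},
}


def format_sc(name: str, sc: Dict[str, Impact]) -> str:
    """Render a category in the FIPS 199 notation, e.g.
    SC recruiting_pii = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}."""
    parts = ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


def system_category(types: Dict[str, Dict[str, Impact]]) -> Dict[str, Impact]:
    """High-water mark per objective across every information type the system holds (FIPS 199)."""
    return {obj: max(t[obj] for t in types.values()) for obj in OBJECTIVES}


def overall_impact(sc: Dict[str, Impact]) -> Impact:
    """FIPS 200 collapses the triple to one system impact level: the highest of the three."""
    return max(sc.values())


def eligible_for_commercial_cloud(sc: Dict[str, Impact]) -> bool:
    """DODCCS screen as summarized in the paper: only low- and moderate-impact
    systems are candidates for commercial cloud infrastructure."""
    return overall_impact(sc) <= Impact.MODERATE


def categorize(types: Dict[str, Dict[str, Impact]]) -> Tuple[Dict[str, Impact], Impact, bool]:
    """Full pipeline: per-objective system category, overall level, commercial eligibility."""
    sc = system_category(types)
    return sc, overall_impact(sc), eligible_for_commercial_cloud(sc)


if __name__ == "__main__":
    for name, sc in SAMPLE_INFORMATION_TYPES.items():
        print(format_sc(name, sc))
    sc, level, ok = categorize(SAMPLE_INFORMATION_TYPES)
    print(format_sc("information_system", sc))
    print("overall impact:", level.name, "| commercial-cloud candidate:", ok)
```

The point the roll-up makes is the one the paper keeps returning to: one high-impact information type (here the integrity of the constructed logistics schedules) drags the whole system to high and out of the commercial-cloud candidate pool, so categorization decisions made inconsistently at the component level directly determine what can be outsourced.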

These are recommendations only, and system owners have the ultimate authority to set each category. Furthermore, these recommendations were written before there was a requirement to utilize cloud technology. The categorizations do not consider that IT systems and data may end up in a public cloud, exposed to the higher security risks associated with those environments. Finally, military operations are not specifically identified and, therefore, are mapped to best-fit business categories. The DOD is left on its own.


Table 2. Potential impact definitions for security objectives

Confidentiality. Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., SEC. 3542]
  LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Integrity. Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. [44 U.S.C., SEC. 3542]
  LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Availability. Ensuring timely and reliable access to and use of information. [44 U.S.C., SEC. 3542]
  LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
  MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
  HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Reprinted from FIPS Pub 199, Standards for Security Categorization of Federal Information and Information Systems, NIST, February 2004.


Department  of  Defense  Instructions 

The categorization process described in the previous section is not new. However, commercial cloud providers have not had to deal with the categorization process. Public cloud infrastructure used for DOD purposes would be a DOD IT infrastructure that is subject to FISMA certification and accreditation processes. According to DODI 8510.01, DOD Information Assurance Certification and Accreditation Process (DIACAP), the responsibility for meeting FISMA requirements sits at the component and agency level.39 Once again, this delegation of categorization responsibility does not produce a standardized process and, therefore, does not amount to clear DOD guidance for migration to commercial cloud infrastructure.

Another arena where the DOD departs from the practices of other federal agencies and the IT industry is operations security (OPSEC). DODD 5205.02E, DOD Operations Security Program, defines the OPSEC process as identifying and protecting pieces of information that, when put together, may have value to an adversary and thus present an unacceptable risk.40 The Washington Post printed an OPSEC anecdote in which a Domino's Pizza franchise owner claimed he could predict significant events based on an increase in pizza deliveries in the Washington, DC, area.41 The accuracy of the story is debated, but the lesson stands: a simple, seemingly harmless piece of information can lead to information of value to our enemies. Likewise, the owner of a cloud environment has access to server utilization rates. While the cloud owner may not have access to the actual data, it would be possible to tell when activity has increased, a potential indicator of near-future DOD activity and a clear OPSEC risk.
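As an added example (not from the paper or from any DOD or provider system), the following code shows how little a cloud owner needs in order to draw the inference described above. It is given only a tenant's hourly CPU-utilization samples, constructed here for illustration, and flags the hours that rise more than three standard deviations above a quiet baseline. No tenant data is read; the indicator comes entirely from metadata the provider sees by default.

```python
"""Added example: what a provider can infer from utilization metadata alone.

The cloud owner never sees the tenant's data, only per-hour utilization
figures.  A baseline-and-deviation test over those figures is enough to
flag a surge in activity, which is exactly the OPSEC indicator discussed
above.  The samples are constructed for illustration and do not come from
any real system.
"""
import statistics
from typing import List, Optional, Tuple

# Constructed: 24 hourly samples of one tenant's average CPU utilization (percent).
# Hours 0-17 are a quiet working baseline; hours 18-23 are a sustained surge.
SAMPLE_UTILIZATION: List[float] = [
    12, 11, 10, 9, 9, 10, 14, 18, 22, 21, 20, 19,
    21, 22, 20, 18, 17, 16, 55, 61, 68, 70, 72, 69,
]


def surge_hours(samples: List[float], baseline_hours: int = 12,
                z_threshold: float = 3.0) -> List[Tuple[int, float, float]]:
    """Return (hour, value, z-score) for every sample that sits more than
    z_threshold standard deviations above the baseline mean.  The first
    baseline_hours samples stand in for the provider's historical view of
    this tenant; everything else is scored against them."""
    baseline = samples[:baseline_hours]
    mean = statistics.fmean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0  # a perfectly flat baseline must not divide by zero
    flagged = []
    for hour, value in enumerate(samples):
        z = (value - mean) / stdev
        if z > z_threshold:
            flagged.append((hour, value, round(z, 1)))
    return flagged


def first_surge_hour(samples: List[float], **kwargs) -> Optional[int]:
    """Hour at which the tenant's activity first departs from its baseline, or None."""
    flagged = surge_hours(samples, **kwargs)
    return flagged[0][0] if flagged else None


if __name__ == "__main__":
    for hour, value, z in surge_hours(SAMPLE_UTILIZATION):
        print(f"hour {hour:02d}: {value:5.1f}% cpu  (z = {z})")
    print("activity change first visible at hour:", first_surge_hour(SAMPLE_UTILIZATION))
```

The detector is deliberately crude; a provider with months of history per tenant, per-VM breakdowns, and network counters could do far better. That is the practical meaning of the OPSEC concern: the mitigation is not encryption of the data, which this observer never touches, but contractual and architectural limits on what telemetry the provider retains and who may query it.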

Current  Program  Evaluations 

The US CIO's December 2010 call for migration to cloud computing required each federal agency to identify three services for migration to the cloud and to have that migration complete within 18 months.42 Twenty-six months later, the DOD strategy on cloud computing was only six months old, and the military components and other federal agencies were building their own, independent paths toward cloud computing. Furthermore, the federal structure for providing commercial cloud infrastructure, FEDRAMP, has significant shortcomings with respect to support for DOD cloud requirements.

Department  of  Defense  Cloud  Programs  Evaluated 

The failure of the DOD to implement a cohesive cloud computing strategy has allowed the Army, Navy, Air Force, and DISA to take diverging paths and fail to maximize economies of scale. Compounding these failures in economies of scale, each of the military components of the DOD has migrated specific systems to commercial clouds without considering the consequences to its own IT infrastructure.

The Navy. The Department of the Navy (DON) is currently migrating from the existing Navy-Marine Corps Intranet (NMCI) to the new Next Generation Enterprise Network (NGEN). This plan highlights many of the failures of the DOD to manage cloud computing and highlights one of the increased security risks associated with commercial IT infrastructure, including commercial clouds.

First, the DON published the NGEN Network Operations Concept of Operations (CONOPS) in April 2008. This CONOPS is a USN/USMC-centered plan for a government-owned, contractor-operated infrastructure without any mention of cloud concepts or services.43 As such, the plan fails to take advantage of economies of scale. In fact, the Government Accountability Office (GAO) in a 2012 report found that "DON has not yet shown that it is pursuing the most cost-effective approach for acquiring NGEN capabilities."44

Finally, the transition from NMCI to NGEN highlights a serious security risk associated with contracted service: availability. This is one of the three security objectives addressed in the FISMA standards. The same GAO report indicated that the DON had to award a $3.4 billion contract to bridge the gap between the end of the NMCI contract and the transition to the NGEN infrastructure.45 Had this negotiation failed, the DON would have faced a network and mission failure.

The Air Force. The goal of the Air Force Network (AFNET) program is to create one enterprise network for the Air Force through the consolidation of over 400 base networks.46 However, while the Air Force is claiming one enterprise network, it also recognizes that it "will not try to make AFNET all things to all people."47 Even as this transformation progresses, key end users such as Air Combat Command (ACC) are struggling to understand what the "enterprise" is. Brig Gen David Uhrich, ACC director of communications, was quoted as saying, "The first thing I'd like to know is what the heck is the enterprise? Has anybody seen a definition of the core services the enterprise will provide?"48 Maj Gen Suzanne Vautrinot, commander, Air Force Cyber Command, stated, "Getting the entire military onto something that resembles one network is going to be a costly and slow process."49 Indeed, the Air Force is transforming, but it has downplayed efforts to develop a DOD cloud transformation solution.

The Army's Information Systems Agency. The Army is perhaps the success story. Its migration to cloud services has taken two approaches in line with the 2012 NDAA. First, a commercial cloud provider, Salesforce.com, was utilized for the Army Recruiting Information Support System (ARISS). This program proved invaluable to the Army, converting an estimated $1 million infrastructure procurement into a $54,000/year commercial contract. The new system resulted in "faster application upgrades, dramatically reduced hardware and IT staff costs, and significantly increased staff productivity."50 However, availability of this system is still dependent on successful contract negotiations and fulfillment. This is only one of the Army's IT systems. Transforming a single system does not take advantage of the capacities of existing systems and the economies of scale that would be available with an Army private cloud.

The  Defense  Information  Systems  Agency 

DISA is leading the way in the development of a private DOD cloud computing environment in conjunction with the Army. Operational in 2008, DISA's Rapid Access Computing Environment (RACE) is an IAAS capability available to all DOD components and agencies. Specifically, RACE is a "self-service provisioning Web portal, allowing DOD users to provision servers within a secure computing environment."51 The Army has capitalized on these DISA service capabilities by migrating e-mail services to the DISA-provided capability. To date, over 500,000 e-mail users are on the DISA-provided service.52 The Army anticipates this will save over $380 million through fiscal year 2017.53

Federal  Commercial  Cloud  Service  Initiative 

Established to precertify commercial cloud providers, FEDRAMP has large gaps in its ability to deliver commercial cloud providers that meet DOD demands. The following are the purposes of FEDRAMP:

•  ensure that cloud-based services used government-wide have adequate information security,

•  eliminate duplication of effort and reduce risk-management costs, and

•  enable rapid and cost-effective procurement of information systems/services for federal agencies.54

The following are the goals of FEDRAMP:

•  accelerating the adoption of secure cloud solutions through reuse of assessments and authorizations,

•  increasing confidence in the security of cloud solutions,

•  achieving consistent security authorizations using a baseline set of agreed-upon standards and accredited independent third-party assessment organizations,

•  ensuring consistent application of existing security practices,

•  increasing confidence in security assessments, and

•  increasing automation and near real-time data for continuous monitoring.55


Despite these purposes and goals, FEDRAMP is not capable of meeting the stringent demands of DOD security. The FEDRAMP CONOPS specifically states, "FEDRAMP defines a set of controls for low and moderate impact level systems."56 Indeed, the FEDRAMP program cannot be a complete solution: it provides authorization baselines for only two of the three FIPS 199 impact levels, leaving high-impact systems uncovered.

Finally, two of the biggest concerns with commercial clouds are geolocation of data and multitenancy on the hardware. Geolocation refers to knowing the exact physical location of the data. With a commercial cloud, DOD data could be located on any physical server within the provider's cloud. That location could include countries with different laws on privacy of data than those of the United States and could include countries hostile to the United States. In an article written for the Naval Postgraduate School on data sovereignty, the authors point out that verifying where one's data is physically located is a critical issue.57

Multitenancy refers to data or services of different customers residing on the same physical hardware. This is where commercial cloud providers make their money, through economies of scale.58 Just as with geolocation of data, this could result in US data residing on the same hardware as the data of parties hostile to the United States. Rob Carey, deputy DOD CIO, found this to be a significant security risk in utilizing commercial infrastructure.59 Unfortunately, FEDRAMP does not address this. Instead, individual users must address this critical security issue in their SLAs.60


Comparison  of  Alternatives 

Cloud computing, its associated risks and benefits, and the fact that DOD military components and agencies have to develop individual cloud strategies were previously explained. Unfortunately, this DOD hands-off approach is flawed. Intended to "address use of commercial cloud services in the Department's multiprovider enterprise cloud environment," the approach fails to capitalize on the economies of scale that are possible.61 It has allowed the military components and agencies to maintain redundant systems and to contract with several commercial cloud providers. There are three potential cloud models for the DOD to consider implementing: a public solution, a private solution, and a hybrid solution.

The  Public  Solution 

The National Security Agency (NSA) identified increased security risk as the greatest issue with public clouds: "Due to this issue of the movement of the trust boundary, public clouds (whereby cloud resources are dynamically provisioned over the Internet) represent the greatest challenge from a security perspective."62 The DODCCS and FEDRAMP both recognized the risks associated with public clouds in their common policy of not utilizing commercial providers for any system above a moderate security categorization. Jon Toigo of InformationWeek.com notes that SLAs that ensure security beyond the moderate level force cloud providers to violate their economies of scale and reduce the cost benefits to the customer.63 Moving DOD data and services to commercial clouds presents a much larger level of risk. Rob Carey, deputy DOD CIO, points out that one of the significant security risks of utilizing commercial infrastructure is the "multitenancy" inherent in commercial cloud infrastructures.64 Furthermore, with data on a commercial cloud potentially residing anywhere in the world, the sovereignty of DOD data could be in jeopardy. Vivek Kundra, federal CIO, states that this is a matter of international law that is still to be addressed and resolved.65 Some argue that commercial providers have made significant progress in securing their networks to meet DOD requirements. However, the General Services Administration has yet to list any FISMA-certified commercial SAAS vendors on the Info.apps.gov Website, and IAAS vendors are not certified to provide service across all FISMA categories of security. This means that commercial vendors cannot fully support the DOD requirements.66 With an estimated 75-95 percent excess capacity within the typical DOD IT enterprise, enormous cost savings are available in the consolidation of DOD IT infrastructure before even considering a move to commercial clouds. Given the increased security risks and the decreased economies of scale, a public cloud does not present a valid option.

The  Private  Solution 

The cloud-computing concept could yield positive financial results. However, smaller companies employing private clouds do not realize these kinds of results. Only extremely large data centers can provide true economies of scale through cloud computing.67 With over 772 data centers across the DOD, the whole organization, as opposed to its individual components and agencies, is clearly an extremely large IT enterprise.68 The DOD as a whole would be capable of achieving very large economies of scale.

Locating all infrastructure in the "internal data centers" of a private
cloud diminishes many of the security risks. Geolocation and data
sovereignty cease to be issues. All data facilities within a private cloud would
be DOD facilities located on DOD property. This makes the systems and
data subject to US law. As for multitenancy, users of the DOD private
cloud would be limited to the DOD components and agencies.

There are significant disadvantages to this solution. It does not meet
the NDAA requirement to utilize commercial resources, and it does not
make cloud computing a hands-off endeavor from a DOD perspective.
The first issue will be dealt with subsequently. This solution takes
responsibility for managing hardware and software off the components and
agencies and consolidates it at the DOD level. From the component and
agency perspective, the cloud is a hands-off solution.


The  Hybrid  Solution 

The last model is the hybrid model, which best identifies the current
structure of DOD cloud computing. This model could meet the NDAA
mandate to use commercial providers. As previously noted, however,
commercial economies of scale present higher security risks to the systems
and data. With the security requirements left to the individual component
or agency, there is no clear, overall, standard guidance on security
classification. Therefore identifying data/services that should migrate to
the commercial portion of the hybrid cloud is complex. Since the
components and agencies are to identify the data/services for migration and
SLA through the FEDRAMP process, the DOD misses economies of
scale in the contract arena. Multiple contracts could potentially be
combined for better pricing. Migrating data/services to the commercial cloud
prior to building the private DOD cloud may miss the economies of scale
still available to host those services on a private cloud.


Recommendations 

The US CIO directives, the NDAA, and the DODCCS all call for the
use of commercial cloud infrastructure as a part of the DOD cloud
migration. These directives call for parallel paths with commercial and private
cloud development occurring simultaneously. Teri Takai, DOD CIO,
said, "We don't want to see an ad hoc move to the cloud; we want to see a
DOD-wide perspective."48 Even with this, the DODCCS allows for the
potential use of multiple commercial vendors and numerous individual
component and agency cloud solutions. This is completely contrary to
the concept of "a DOD-wide perspective." There may very well be data
that can safely be placed on a commercial cloud. However, until the DOD
private cloud is fully implemented, a migration to a commercial cloud
would be a move into uncharted territory and ill-advised.

The following proposals are made to migrate the DOD to a cloud
environment, ensuring risk mitigation and maximum economies of scale
while heading down a path that ultimately allows for a potential hybrid
solution.

Perform Security Category Reevaluation of Systems and Data

First, decide what data and services ought to move to a commercial
cloud. The DOD needs to evaluate its directions provided in DIACAP.
The process needs to be standardized across all components and agencies
to ensure that all similar data and services are given the same security
classification. This process also needs to develop a set of sensitivity levels
and protection requirements for unclassified data for commercial cloud
migration. This means determining the data and services that can be
placed on commercial cloud services without risks associated with
geolocation, multitenancy, data sovereignty, and availability. These standards
of evaluation should then be used throughout the remaining processes.

Move All Noncommercial Data and Services to a Private Cloud


The next step should be to implement a private DOD cloud that
maximizes the available economies of scale while applying the required level
of security needed. This should happen before migrating any data/services
to the commercial cloud. The DISA, with an existing cloud environment,
including the RACE and DOD Enterprise Email, should be mandated to
build the DOD private cloud infrastructure. All DOD components and
agencies should be required to migrate to the DISA private cloud
infrastructure. This ought to be done to reduce significantly or eliminate the
security risks associated with cloud computing. In addition, the size of
the DOD IT infrastructure should enable the maximum economies of
scale through cloud computing.

Perform Cost Analysis on Where To Host Low-Security Classification Services

Once data and services that cannot be hosted in a commercial cloud
are secured within the private DOD cloud, a detailed cost analysis of
hosting "commercial-ready" data and services on the existing private
cloud versus hosting on a FEDRAMP-approved commercial cloud should
be conducted. This analysis should be done at the DOD level and not at
the individual component and agency level. More importantly, it should
not be done at the individual program level, as is the current practice. The
migration should take place if it is more cost-effective and there are no
data/system protection issues: geolocation, multitenancy, data sovereignty,
and availability. However, if commercial hosting cannot be shown to be
more cost-effective, the DOD should engage Congress to reevaluate the
requirements set forth in the 2012 NDAA.

Conclusion 

The DOD transformation to cloud computing is off to a rather poor
start. This is exactly the sort of start that Teri Takai was hoping to avoid
as the DOD attempts to develop a "standardized approach to cloud
computing adoption."49 To date, the transformation lacks a focus that permits
the DOD to achieve economies of scale and does not ensure adequate
protections for the IT systems and data.

The US CIO's 25 Point Implementation Plan to Reform Federal
Information Technology Management, his 2011 Federal Cloud Computing
Strategy, and the congressional mandate in the NDAA have set forth a
path to cloud transformation that is focused on commercial cloud
providers. Facing the requirement to complete a first migration to the cloud
in 18 months, the DOD left it to the components and agencies to find
individual solutions to meet this requirement. It was 20 months after the
US CIO directive before the release of the DODCCS providing initial
uniform guidance for the components and agencies to follow.

Outdated policy and regulations do not specifically address the new
and increased risks associated with cloud computing: geolocation, data
sovereignty, multitenancy, and availability. These new and existing risks
are much more severe in a commercial cloud environment. Current
guidelines are vague and leave it to the individual components and agencies
to categorize the security level of IT systems and to identify the systems
and data appropriate for the elevated risks associated with commercial
cloud computing environments. The NSA and DOD CIO have both publicly
recognized that placing IT systems and data in a commercial cloud
environment puts these systems and data at an elevated risk.

The options available to the DOD for cloud transformation each have
their benefits and associated risks. Placing the entire DOD cloud
infrastructure on a commercial cloud is clearly not an option. The security
risks associated with a commercial cloud are too high, and attempting to
mitigate or eliminate the risks would eliminate the savings achieved
through economies of scale.

The development of a DOD private cloud provides the best option to
achieve savings through economies of scale while still providing the
required level of protection needed to secure DOD systems and data,
including providing OPSEC. Unfortunately, there are still the US CIO and
NDAA requirements to utilize commercial cloud providers.

The third option of using both commercial and private cloud
infrastructure (hybrid) provides the best chance to meet regulatory as well as
risk mitigation requirements. However, until a DOD private cloud has
been implemented, the cost savings available through partial
commercialization cannot be identified.

It is not too late to develop a DOD strategy that ensures protection of
the DOD IT systems and at the same time takes advantage of the
economies of scale available at the DOD level. First, the DOD should standardize
a system for categorizing the protection levels assigned to its data and
systems. Second, the DOD should develop and mandate the use of a private
DOD cloud. Then the DOD should evaluate the potential cost savings
associated with using commercial cloud providers with the least risk to
data and systems. These steps will allow the DOD to harness the power of
cloud computing while balancing an acceptable risk at an acceptable cost.
Air Force Network
ARISS      Army Recruiting Information Support Systems
CIO        chief information officer
CONOPS     concept of operations
DIACAP     DOD Information Assurance Certification and Accreditation Process
DISA       Defense Information Systems Agency
DOD        Department of Defense
DODCCS     DOD Cloud Computing Strategy
DON        Department of the Navy
FCCS       Federal Cloud Computing Strategy
FEDRAMP    Federal Risk and Authorization Management Program
FIPS       Federal Information Processing Standards
FIPS Pub   FIPS publication
FISMA      Federal Information Security Management Act of 2002
GAO        Government Accountability Office
HVAC       heating, ventilation, and air conditioning
IAAS       information as a service
IT         information technology
NDAA       National Defense Authorization Act
NGEN       Next Generation Enterprise Network
NIST       National Institute of Standards and Technology
NIST SP    NIST special publication
NMCI       Navy-Marine Corps Intranet
NSA        National Security Agency
OPSEC      operations security
PAAS       platform as a service
PKI        public key infrastructure
RACE       Rapid Access Computing Environment
SAAS       software as a service
SC         security category
SLA        service-level agreements
USA        Army
USAF       Air Force
USMC       Marine Corps
USN        Navy
VM         virtual machine